a1d9edc2df07fe26db889e47bdad695300061fd4782042fe3292081277e279b1

Analysis

max time kernel
147s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30/09/2024, 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
Size

361KB
MD5

036e6998705d1ff722db87ab00e7770d
SHA1

c4d281be25c052b59e354a0ed90c50d4d354bbc3
SHA256

a1d9edc2df07fe26db889e47bdad695300061fd4782042fe3292081277e279b1
SHA512

2b1daf10aa5565ba6bab9161e3e3061cfcf52ede9b2dfcde71e06d1470944e2451c79e72b648418f475e86b102b7f4328a22f02c3de15b02b8899a7c3929e1f9
SSDEEP

6144:2flfAsiL4lIJjiJcbI03GBc3ucY5DCSjX:2flfAsiVGjSGecvX

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 64 IoCs

pid	Process
2532	rljdywqoidavtnif.exe
2732	CreateProcess.exe
2856	vpnhcausmh.exe
2692	CreateProcess.exe
2668	CreateProcess.exe
2216	i_vpnhcausmh.exe
2036	CreateProcess.exe
1716	usmkezxrpj.exe
1824	CreateProcess.exe
1616	CreateProcess.exe
1660	i_usmkezxrpj.exe
1680	CreateProcess.exe
1208	heztrljeyw.exe
1560	CreateProcess.exe
1844	CreateProcess.exe
1404	i_heztrljeyw.exe
580	CreateProcess.exe
316	wrojdbvtoi.exe
1684	CreateProcess.exe
1524	CreateProcess.exe
1516	i_wrojdbvtoi.exe
2332	CreateProcess.exe
3024	rljdbvqoig.exe
2944	CreateProcess.exe
2628	CreateProcess.exe
2712	i_rljdbvqoig.exe
1408	CreateProcess.exe
824	dbvtnigays.exe
1292	CreateProcess.exe
2780	CreateProcess.exe
3064	i_dbvtnigays.exe
1828	CreateProcess.exe
2420	tnifaysnkf.exe
1120	CreateProcess.exe
1008	CreateProcess.exe
1692	i_tnifaysnkf.exe
1536	CreateProcess.exe
1664	fdxspkicwu.exe
2852	CreateProcess.exe
2992	CreateProcess.exe
2152	i_fdxspkicwu.exe
2192	CreateProcess.exe
2208	cxvpkhczuo.exe
2960	CreateProcess.exe
1392	CreateProcess.exe
444	i_cxvpkhczuo.exe
2524	CreateProcess.exe
988	pnhczurmge.exe
1608	CreateProcess.exe
2652	CreateProcess.exe
1968	i_pnhczurmge.exe
2864	CreateProcess.exe
2888	ecwrpjhbwt.exe
2044	CreateProcess.exe
1052	CreateProcess.exe
2292	i_ecwrpjhbwt.exe
2024	CreateProcess.exe
2324	bzuomgeylj.exe
1408	CreateProcess.exe
2780	CreateProcess.exe
2668	i_bzuomgeylj.exe
2360	CreateProcess.exe
1120	rojdbvtoig.exe
2420	CreateProcess.exe

Loads dropped DLL 62 IoCs

pid	Process
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2856	vpnhcausmh.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
1716	usmkezxrpj.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
1208	heztrljeyw.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
316	wrojdbvtoi.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
3024	rljdbvqoig.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
824	dbvtnigays.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2420	tnifaysnkf.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
1664	fdxspkicwu.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2208	cxvpkhczuo.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
988	pnhczurmge.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2888	ecwrpjhbwt.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2324	bzuomgeylj.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
1120	rojdbvtoig.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
348	geywqlidbv.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2708	vtnlfaysqk.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
1656	tnlfdxsqki.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
1136	icxvpnhcau.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
796	xrpkhcwuom.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2300	mkezxrpjeb.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2876	jhcwuomgbz.exe
2532	rljdywqoidavtnif.exe

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	usmkezxrpj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	heztrljeyw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rljdbvqoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dbvtnigays.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	icxvpnhcau.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jhcwuomgbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rljdywqoidavtnif.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vpnhcausmh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pnhczurmge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecwrpjhbwt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wrojdbvtoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cxvpkhczuo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bzuomgeylj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vtnlfaysqk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnlfdxsqki.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mkezxrpjeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tnifaysnkf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fdxspkicwu.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rojdbvtoig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	geywqlidbv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xrpkhcwuom.exe

Gathers network information 2 TTPs 20 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3020	ipconfig.exe
1828	ipconfig.exe
936	ipconfig.exe
2252	ipconfig.exe
2392	ipconfig.exe
2372	ipconfig.exe
2084	ipconfig.exe
2404	ipconfig.exe
2952	ipconfig.exe
1524	ipconfig.exe
2456	ipconfig.exe
976	ipconfig.exe
2832	ipconfig.exe
1680	ipconfig.exe
2824	ipconfig.exe
1428	ipconfig.exe
2424	ipconfig.exe
2180	ipconfig.exe
2296	ipconfig.exe
2040	ipconfig.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "433895979"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a015b5608513db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000ded4a0a49fb6647a753f6463ad3e7498238308111e9d4e0e04f4bad8305d5136000000000e80000000020000200000001e7bb4871c1387e4fe3f94888627978ab062ff3b785a4ea9a112b4c828c4cc6890000000c744ea6457a41e8f90aac296455853cd00a4cf880f9357914a969f433a5dd62fd4fcd1df540afe653dce0381aa3a0641f982db86df617753888343c6205f625b274ff572ac719631a23d62d7d61b4a300578bad0f7db74dc68728158f8abd8b13c75aa8c776a8c77f2258bba792e5dce8b74145636978e7a7c714c6dc59dd22e242986eebccfa94f3d97dda28a98fd3c40000000d7d91b09c5d239c7f11ef98b5c29af7caa0d7ce742d2a18d3481c2f47af9a934c0f6d1a6469a0f540e0473dd876fa7514f581b399838dd21aaff891178b1b3a9	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000953bd8210872ea40aad5946cc0771cd300000000020000000000106600000001000020000000b09c3d78d058f559c178fe90c87fa55325827f7911879916a7581984c4b3ffab000000000e800000000200002000000027250763fb86caea052eacfbb40a6f957bf1b2becec79f540131c267fecc69f6200000005adc27db358333107716be5d67c7700aa105aa203809706b1e223b86858b0f5840000000ec3c79369bd8a2c5e7b246fe32affcb1629fe6ee6a5bc393c5b2f6b368c05ad571642258102cfdfb393ae21a737050417ec373b0f1f332605151f5db26dd6a48	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{87D2F801-7F78-11EF-8202-7A9F8CACAEA3} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2532	rljdywqoidavtnif.exe
2856	vpnhcausmh.exe
2856	vpnhcausmh.exe
2856	vpnhcausmh.exe
2856	vpnhcausmh.exe
2856	vpnhcausmh.exe
2856	vpnhcausmh.exe
2856	vpnhcausmh.exe
2216	i_vpnhcausmh.exe
2216	i_vpnhcausmh.exe
2216	i_vpnhcausmh.exe
2216	i_vpnhcausmh.exe
2216	i_vpnhcausmh.exe
2216	i_vpnhcausmh.exe
2216	i_vpnhcausmh.exe
1716	usmkezxrpj.exe
1716	usmkezxrpj.exe
1716	usmkezxrpj.exe
1716	usmkezxrpj.exe
1716	usmkezxrpj.exe
1716	usmkezxrpj.exe
1716	usmkezxrpj.exe
1660	i_usmkezxrpj.exe
1660	i_usmkezxrpj.exe
1660	i_usmkezxrpj.exe
1660	i_usmkezxrpj.exe
1660	i_usmkezxrpj.exe
1660	i_usmkezxrpj.exe
1660	i_usmkezxrpj.exe
1208	heztrljeyw.exe

Suspicious behavior: LoadsDriver 20 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found
480	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2216	i_vpnhcausmh.exe
Token: SeDebugPrivilege	1660	i_usmkezxrpj.exe
Token: SeDebugPrivilege	1404	i_heztrljeyw.exe
Token: SeDebugPrivilege	1516	i_wrojdbvtoi.exe
Token: SeDebugPrivilege	2712	i_rljdbvqoig.exe
Token: SeDebugPrivilege	3064	i_dbvtnigays.exe
Token: SeDebugPrivilege	1692	i_tnifaysnkf.exe
Token: SeDebugPrivilege	2152	i_fdxspkicwu.exe
Token: SeDebugPrivilege	444	i_cxvpkhczuo.exe
Token: SeDebugPrivilege	1968	i_pnhczurmge.exe
Token: SeDebugPrivilege	2292	i_ecwrpjhbwt.exe
Token: SeDebugPrivilege	2668	i_bzuomgeylj.exe
Token: SeDebugPrivilege	1692	i_rojdbvtoig.exe
Token: SeDebugPrivilege	1000	i_geywqlidbv.exe
Token: SeDebugPrivilege	1012	i_vtnlfaysqk.exe
Token: SeDebugPrivilege	1172	i_tnlfdxsqki.exe
Token: SeDebugPrivilege	1616	i_icxvpnhcau.exe
Token: SeDebugPrivilege	1844	i_xrpkhcwuom.exe
Token: SeDebugPrivilege	1176	i_mkezxrpjeb.exe
Token: SeDebugPrivilege	2892	i_jhcwuomgbz.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1876	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1876	iexplore.exe
1876	iexplore.exe
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE
2696	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2532	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2532	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2532	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	31
PID 2132 wrote to memory of 2532	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	31
PID 2132 wrote to memory of 1876	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	32
PID 2132 wrote to memory of 1876	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	32
PID 2132 wrote to memory of 1876	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	32
PID 2132 wrote to memory of 1876	2132	036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe	32
PID 1876 wrote to memory of 2696	1876	iexplore.exe	33
PID 1876 wrote to memory of 2696	1876	iexplore.exe	33
PID 1876 wrote to memory of 2696	1876	iexplore.exe	33
PID 1876 wrote to memory of 2696	1876	iexplore.exe	33
PID 2532 wrote to memory of 2732	2532	rljdywqoidavtnif.exe	34
PID 2532 wrote to memory of 2732	2532	rljdywqoidavtnif.exe	34
PID 2532 wrote to memory of 2732	2532	rljdywqoidavtnif.exe	34
PID 2532 wrote to memory of 2732	2532	rljdywqoidavtnif.exe	34
PID 2856 wrote to memory of 2692	2856	vpnhcausmh.exe	37
PID 2856 wrote to memory of 2692	2856	vpnhcausmh.exe	37
PID 2856 wrote to memory of 2692	2856	vpnhcausmh.exe	37
PID 2856 wrote to memory of 2692	2856	vpnhcausmh.exe	37
PID 2532 wrote to memory of 2668	2532	rljdywqoidavtnif.exe	40
PID 2532 wrote to memory of 2668	2532	rljdywqoidavtnif.exe	40
PID 2532 wrote to memory of 2668	2532	rljdywqoidavtnif.exe	40
PID 2532 wrote to memory of 2668	2532	rljdywqoidavtnif.exe	40
PID 2532 wrote to memory of 2036	2532	rljdywqoidavtnif.exe	42
PID 2532 wrote to memory of 2036	2532	rljdywqoidavtnif.exe	42
PID 2532 wrote to memory of 2036	2532	rljdywqoidavtnif.exe	42
PID 2532 wrote to memory of 2036	2532	rljdywqoidavtnif.exe	42
PID 1716 wrote to memory of 1824	1716	usmkezxrpj.exe	44
PID 1716 wrote to memory of 1824	1716	usmkezxrpj.exe	44
PID 1716 wrote to memory of 1824	1716	usmkezxrpj.exe	44
PID 1716 wrote to memory of 1824	1716	usmkezxrpj.exe	44
PID 2532 wrote to memory of 1616	2532	rljdywqoidavtnif.exe	47
PID 2532 wrote to memory of 1616	2532	rljdywqoidavtnif.exe	47
PID 2532 wrote to memory of 1616	2532	rljdywqoidavtnif.exe	47
PID 2532 wrote to memory of 1616	2532	rljdywqoidavtnif.exe	47
PID 2532 wrote to memory of 1680	2532	rljdywqoidavtnif.exe	49
PID 2532 wrote to memory of 1680	2532	rljdywqoidavtnif.exe	49
PID 2532 wrote to memory of 1680	2532	rljdywqoidavtnif.exe	49
PID 2532 wrote to memory of 1680	2532	rljdywqoidavtnif.exe	49
PID 1208 wrote to memory of 1560	1208	heztrljeyw.exe	51
PID 1208 wrote to memory of 1560	1208	heztrljeyw.exe	51
PID 1208 wrote to memory of 1560	1208	heztrljeyw.exe	51
PID 1208 wrote to memory of 1560	1208	heztrljeyw.exe	51
PID 2532 wrote to memory of 1844	2532	rljdywqoidavtnif.exe	54
PID 2532 wrote to memory of 1844	2532	rljdywqoidavtnif.exe	54
PID 2532 wrote to memory of 1844	2532	rljdywqoidavtnif.exe	54
PID 2532 wrote to memory of 1844	2532	rljdywqoidavtnif.exe	54
PID 2532 wrote to memory of 580	2532	rljdywqoidavtnif.exe	56
PID 2532 wrote to memory of 580	2532	rljdywqoidavtnif.exe	56
PID 2532 wrote to memory of 580	2532	rljdywqoidavtnif.exe	56
PID 2532 wrote to memory of 580	2532	rljdywqoidavtnif.exe	56
PID 316 wrote to memory of 1684	316	wrojdbvtoi.exe	58
PID 316 wrote to memory of 1684	316	wrojdbvtoi.exe	58
PID 316 wrote to memory of 1684	316	wrojdbvtoi.exe	58
PID 316 wrote to memory of 1684	316	wrojdbvtoi.exe	58
PID 2532 wrote to memory of 1524	2532	rljdywqoidavtnif.exe	61
PID 2532 wrote to memory of 1524	2532	rljdywqoidavtnif.exe	61
PID 2532 wrote to memory of 1524	2532	rljdywqoidavtnif.exe	61
PID 2532 wrote to memory of 1524	2532	rljdywqoidavtnif.exe	61
PID 2532 wrote to memory of 2332	2532	rljdywqoidavtnif.exe	63
PID 2532 wrote to memory of 2332	2532	rljdywqoidavtnif.exe	63
PID 2532 wrote to memory of 2332	2532	rljdywqoidavtnif.exe	63
PID 2532 wrote to memory of 2332	2532	rljdywqoidavtnif.exe	63

C:\Users\Admin\AppData\Local\Temp\036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\036e6998705d1ff722db87ab00e7770d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Temp\rljdywqoidavtnif.exe
  C:\Temp\rljdywqoidavtnif.exe run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vpnhcausmh.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2732
  - - C:\Temp\vpnhcausmh.exe
      C:\Temp\vpnhcausmh.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2856
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2692
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2392
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vpnhcausmh.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2668
  - - C:\Temp\i_vpnhcausmh.exe
      C:\Temp\i_vpnhcausmh.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2216
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\usmkezxrpj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2036
  - - C:\Temp\usmkezxrpj.exe
      C:\Temp\usmkezxrpj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1824
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2424
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_usmkezxrpj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1616
  - - C:\Temp\i_usmkezxrpj.exe
      C:\Temp\i_usmkezxrpj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1660
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\heztrljeyw.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1680
  - - C:\Temp\heztrljeyw.exe
      C:\Temp\heztrljeyw.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1208
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1560
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2456
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_heztrljeyw.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1844
  - - C:\Temp\i_heztrljeyw.exe
      C:\Temp\i_heztrljeyw.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1404
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\wrojdbvtoi.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:580
  - - C:\Temp\wrojdbvtoi.exe
      C:\Temp\wrojdbvtoi.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:316
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1684
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2180
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_wrojdbvtoi.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1524
  - - C:\Temp\i_wrojdbvtoi.exe
      C:\Temp\i_wrojdbvtoi.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1516
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rljdbvqoig.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2332
  - - C:\Temp\rljdbvqoig.exe
      C:\Temp\rljdbvqoig.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3024
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2944
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2296
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rljdbvqoig.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2628
  - - C:\Temp\i_rljdbvqoig.exe
      C:\Temp\i_rljdbvqoig.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2712
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\dbvtnigays.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1408
  - - C:\Temp\dbvtnigays.exe
      C:\Temp\dbvtnigays.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:824
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1292
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2372
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_dbvtnigays.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2780
  - - C:\Temp\i_dbvtnigays.exe
      C:\Temp\i_dbvtnigays.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3064
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnifaysnkf.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1828
  - - C:\Temp\tnifaysnkf.exe
      C:\Temp\tnifaysnkf.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2420
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1120
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2040
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnifaysnkf.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1008
  - - C:\Temp\i_tnifaysnkf.exe
      C:\Temp\i_tnifaysnkf.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\fdxspkicwu.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:1536
  - - C:\Temp\fdxspkicwu.exe
      C:\Temp\fdxspkicwu.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1664
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2852
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2824
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_fdxspkicwu.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2992
  - - C:\Temp\i_fdxspkicwu.exe
      C:\Temp\i_fdxspkicwu.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2152
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\cxvpkhczuo.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2192
  - - C:\Temp\cxvpkhczuo.exe
      C:\Temp\cxvpkhczuo.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2208
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2960
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:976
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_cxvpkhczuo.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1392
  - - C:\Temp\i_cxvpkhczuo.exe
      C:\Temp\i_cxvpkhczuo.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:444
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\pnhczurmge.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2524
  - - C:\Temp\pnhczurmge.exe
      C:\Temp\pnhczurmge.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:988
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1608
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2084
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_pnhczurmge.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2652
  - - C:\Temp\i_pnhczurmge.exe
      C:\Temp\i_pnhczurmge.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1968
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\ecwrpjhbwt.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2864
  - - C:\Temp\ecwrpjhbwt.exe
      C:\Temp\ecwrpjhbwt.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2888
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2044
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2404
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_ecwrpjhbwt.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:1052
  - - C:\Temp\i_ecwrpjhbwt.exe
      C:\Temp\i_ecwrpjhbwt.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2292
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\bzuomgeylj.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2024
  - - C:\Temp\bzuomgeylj.exe
      C:\Temp\bzuomgeylj.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2324
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:1408
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:3020
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_bzuomgeylj.exe ups_ins
    3⤵
    - Executes dropped EXE
    PID:2780
  - - C:\Temp\i_bzuomgeylj.exe
      C:\Temp\i_bzuomgeylj.exe ups_ins
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2668
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\rojdbvtoig.exe ups_run
    3⤵
    - Executes dropped EXE
    PID:2360
  - - C:\Temp\rojdbvtoig.exe
      C:\Temp\rojdbvtoig.exe ups_run
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1120
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        Executes dropped EXE
        
        PID:2420
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1828
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_rojdbvtoig.exe ups_ins
    3⤵
    PID:1596
  - - C:\Temp\i_rojdbvtoig.exe
      C:\Temp\i_rojdbvtoig.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1692
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\geywqlidbv.exe ups_run
    3⤵
    PID:2808
  - - C:\Temp\geywqlidbv.exe
      C:\Temp\geywqlidbv.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:348
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1360
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2832
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_geywqlidbv.exe ups_ins
    3⤵
    PID:2972
  - - C:\Temp\i_geywqlidbv.exe
      C:\Temp\i_geywqlidbv.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1000
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\vtnlfaysqk.exe ups_run
    3⤵
    PID:804
  - - C:\Temp\vtnlfaysqk.exe
      C:\Temp\vtnlfaysqk.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2708
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2820
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2952
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_vtnlfaysqk.exe ups_ins
    3⤵
    PID:1700
  - - C:\Temp\i_vtnlfaysqk.exe
      C:\Temp\i_vtnlfaysqk.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1012
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\tnlfdxsqki.exe ups_run
    3⤵
    PID:2840
  - - C:\Temp\tnlfdxsqki.exe
      C:\Temp\tnlfdxsqki.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1656
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2236
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1428
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_tnlfdxsqki.exe ups_ins
    3⤵
    PID:2164
  - - C:\Temp\i_tnlfdxsqki.exe
      C:\Temp\i_tnlfdxsqki.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1172
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\icxvpnhcau.exe ups_run
    3⤵
    PID:1424
  - - C:\Temp\icxvpnhcau.exe
      C:\Temp\icxvpnhcau.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:1136
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1724
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:936
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_icxvpnhcau.exe ups_ins
    3⤵
    PID:1624
  - - C:\Temp\i_icxvpnhcau.exe
      C:\Temp\i_icxvpnhcau.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1616
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\xrpkhcwuom.exe ups_run
    3⤵
    PID:1032
  - - C:\Temp\xrpkhcwuom.exe
      C:\Temp\xrpkhcwuom.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:796
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:1560
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1680
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_xrpkhcwuom.exe ups_ins
    3⤵
    PID:2476
  - - C:\Temp\i_xrpkhcwuom.exe
      C:\Temp\i_xrpkhcwuom.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1844
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\mkezxrpjeb.exe ups_run
    3⤵
    PID:1564
  - - C:\Temp\mkezxrpjeb.exe
      C:\Temp\mkezxrpjeb.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2300
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:876
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:2252
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_mkezxrpjeb.exe ups_ins
    3⤵
    PID:1684
  - - C:\Temp\i_mkezxrpjeb.exe
      C:\Temp\i_mkezxrpjeb.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1176
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\jhcwuomgbz.exe ups_run
    3⤵
    PID:2908
  - - C:\Temp\jhcwuomgbz.exe
      C:\Temp\jhcwuomgbz.exe ups_run
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2876
    - - C:\temp\CreateProcess.exe
        
        C:\temp\CreateProcess.exe C:\windows\system32\ipconfig.exe /release
        5⤵
        
        PID:2920
      - C:\windows\system32\ipconfig.exe
        
        C:\windows\system32\ipconfig.exe /release
        6⤵
        Gathers network information
        
        PID:1524
- - C:\temp\CreateProcess.exe
    C:\temp\CreateProcess.exe C:\Temp\i_jhcwuomgbz.exe ups_ins
    3⤵
    PID:2116
  - - C:\Temp\i_jhcwuomgbz.exe
      C:\Temp\i_jhcwuomgbz.exe ups_ins
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2892
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" http://xytets.com:2345/t.asp?os=home
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1876 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Temp\dbvtnigays.exe

Filesize
361KB

MD5
d198e24fdeb4ef4ab5bc3eec53a7ca6d

SHA1
ec5e57cc13e0e28ce27e699d97e7c1a83d5a51cb

SHA256
260da4ddc11353e2ed7e057cc105818f4f2250c061facf3c1b221048609ecbc0

SHA512
ba797c28da13c20d653ca9a630d0f178b1b59af2a6ebb6268a39a2d9e5ed48e8e2081ca117b212bbaeac590e926fb4c2c90d5fca4cd6d53f033f0925bd1357c9

Download Submit
C:\Temp\fdxspkicwu.exe

Filesize
361KB

MD5
b64ad382e3257a0f23c28f609b88ff50

SHA1
d5b964c3fddcd43d81f80d3ef8dcfb71c4acb52c

SHA256
e3ab7fe663ed592be6e4f527f082b94af338396e3ce7e5e52622ebfd63d2ef6e

SHA512
97e91d9700637c4e3188beed63fb8a2ffe00b9d1ac547a5bbc78d275bcb6a8500262897a6d518bcb007186db620ef46c37c0d660542a53eba77d0c112bdf5e03

Download Submit
C:\Temp\heztrljeyw.exe

Filesize
361KB

MD5
90a3ec15aa06dbb699da49933c7fb3be

SHA1
09bf448c06adc4c348014341638c97d6ea9833fb

SHA256
a4eabba7f4e7fc5bbf7aff191ab9de8e613af1c118ca64a4e4a27c11277adb1b

SHA512
c2f4ab40e8bbae08b5f788cd2d0e799c8002bc2092b48dd4ffddb73976a9595c16fa144a5bafdf6fc01ae39d7853ed99d8a4e3cadafda00e0479c9b96dae0ffc

Download Submit
C:\Temp\i_dbvtnigays.exe

Filesize
361KB

MD5
ea3805eeacab11521b0ee6c94586ec18

SHA1
8e3305904c8b35bb1d8f29a6081c8de531f480fe

SHA256
3696f8c7a0e3937155b13900a576d82a58693a7bf3004fda9449f1e6cfe95975

SHA512
4e151c0d9c6df26e63936311ee017ab43b2322c81cd8c2c707033ddf40940a458bca48266ced626f19628321c959b0985cfcab312502242269132f81726c5aa5

Download Submit
C:\Temp\i_heztrljeyw.exe

Filesize
361KB

MD5
42da5399dcb7749ec204c19c143a39dc

SHA1
1b42f069cc2747b81b4a8e8add40b1a1937b7cb3

SHA256
a33d059b61a63b8a09ffd804f65c72b37402c9931a6adc228aaf11c443473042

SHA512
e9803c49086b0af3f8019075fea78210844465011556691d1a1c399d927551b2f9653d03eb40823c4280578c23ce5b6e83be0e6170e05a359be0d8e4f919c85f

Download Submit
C:\Temp\i_rljdbvqoig.exe

Filesize
361KB

MD5
3ae1d2c82fabc39534cbb31474a839ed

SHA1
d1f9cfa8ac4c6e452fd997e8541bc8377db74593

SHA256
1889d04d8c40a93383b25d8a31d434212fea8682c5b9368d0ae0323c7bff42d9

SHA512
b9ffdd45fc15ca2b0a6dc5a9b282e5e4d67e307c28799142061573248c38e853828dc1420190b9cbbc1e3dcbd82bc603e09f12120901d53907e70fc08735fba9

Download Submit
C:\Temp\i_tnifaysnkf.exe

Filesize
361KB

MD5
ec0d9b029e3cd29f84b1911cdf811e8f

SHA1
785e639ce3fbd7cbe451276640e84bd9b614bae5

SHA256
e9ec1176c69ba60586243c22df1310af00acd35f155ab8c1f6315f65622ccfe0

SHA512
ff75552edd4d7553c2f0508597474d68a183fbdee0ca203f0af966c0b44383a685440f57de3c7bd3d37ff90bf6d6e0bb61ab7b727ca302c5cfd9fdce7934fca9

Download Submit
C:\Temp\i_usmkezxrpj.exe

Filesize
361KB

MD5
3d00be7c8fb8b2a63d4c44a7c84d9558

SHA1
9619629f3c25a027b0da14d7acadad1d506a1b47

SHA256
681e2f065a3669fd901cc6c8cf02d18068aba5acdbb1c755576635f8334f6975

SHA512
e3d9d6468e54bae0433995da9e6db12fce2e6ab78a1c7bf51c46aa465f4350735958c836fd9461f68dd34fa2564d64846fb058829c45abb27cc65047ad9cbfb1

Download Submit
C:\Temp\i_vpnhcausmh.exe

Filesize
361KB

MD5
2126563646585592cc99e0e6872b7ca0

SHA1
5c2a251019bd680f7e88e896b479b25f848b3f48

SHA256
bc122f7f4c73eea3d95c71b92b49a41327a99a042a2e94f193d2a7a4129019f0

SHA512
f29e0af175f1a13a2909b324e4788fda839da47f4c9a0e513f93a5573b3655b90e888a03806a3c7ac1465e32bc69b2c08c094b56149aab6902060a41f6f47945

Download Submit
C:\Temp\i_wrojdbvtoi.exe

Filesize
361KB

MD5
f13544efa6c76b5629222ebc37a0ae53

SHA1
f9c33c85af21bda3ab4b8a13c78c1784932e75f0

SHA256
6c8704f2e57c6ac959391f2061548c0760c6b0fe3f8ed641ca3d0192961161ac

SHA512
2d62cc2a8ac614d16f2d84882b3c59414eb53ff65bf02fcb7b6b30f722cef0600a1507b887844e73df2500327592023a740473dcbc37cccfcce49af47769f9eb

Download Submit
C:\Temp\rljdbvqoig.exe

Filesize
361KB

MD5
336146dec619051115a9c9d32f10362c

SHA1
f0bb3f3adca1ce9eb3fe09f203bab8c2213ac388

SHA256
f7273d7a193441d7456127687fa571007fd58f79e420309a6729b5e9c7a2c9b4

SHA512
3d4336d7187824b3c86330c2b622925c7b54985ef4474f155bbb4a3c12a7164a3355bd4c6abc7256fd2782466339265f955c8c3a95d9ad4c9b35ac9b28589f34

Download Submit
C:\Temp\tnifaysnkf.exe

Filesize
361KB

MD5
d0822ec35b503152df841c244adab542

SHA1
3708ebcc8039f8ac5cfbe0aeb024938a489a0b81

SHA256
a61790dbbec04e0bce8885bbcc0569aa75f91a2e87bcdc05c36c883e11428557

SHA512
7ff0ae86ad4a038fb6cdc6e49b10b1463f19a4e8e74f8a7cc988386b778398ab158ab9c45fedb1a1895e9e01fef151750336a755d10f3f1b6a5450657902a853

Download Submit
C:\Temp\usmkezxrpj.exe

Filesize
361KB

MD5
1b339f627746209e1f7d4a10f18e49b7

SHA1
afc97a5f3f7154674f7ca2dcca88bc67bd47fd57

SHA256
cad3bc61aa3399d40bd8f2c78a6f325f0772e4995df8134fca6df4157039889a

SHA512
7686f6b6da7c0a55f6fd25760603d20614abaf5f87c25ee625635450f58f8a4473e0994a954f6b76dd6aca09efaf39b3df3900b41aa606cfec88be7372d89d28

Download Submit
C:\Temp\vpnhcausmh.exe

Filesize
361KB

MD5
2ec0cbdf61b0cad8db0e2485d3a727ff

SHA1
1fcf13aa64e3a574487eaf4b2e753abe851ba386

SHA256
81a97b15e805b1251d84fd545874cff77c450dad16a36012c43dd00f22910674

SHA512
603a4bce25d52f24018dd5eedfb169487269b699cb45a29225dd6825626aa01fdef5f17d4d4c5e26646a4c6c86f87d5cec872c27fd4b05cd041f64462182a8f7

Download Submit
C:\Temp\wrojdbvtoi.exe

Filesize
361KB

MD5
4ec6ebbe4a25e059f93804a069b67040

SHA1
48185c0ec077273d34482178d51cab5f638f658e

SHA256
48aa741b0dcd6c4ea0d0d2ee43ca6c142c6b5c41aca59daf78b70e5769d34497

SHA512
d70c43e6ba17d1eaafa793035803d0ea1cf0d48b9a1640bed3d083e536ad4da3da089c015b489142620bb4c71696630ba00557712220d85d13531b79c977ab98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf873df22546f9ca487cec07aff0b3a0

SHA1
6ca490e48be641fe51809f89c92c5d20d060f99e

SHA256
2b4576f3223ad387a312357fb1cd6c944d458f88b7e23f349c6ef7b20962b7ba

SHA512
300b0f9e49f7f4b74a0ee308b9e2be2639c8a8e4034703c9ed82baf7e7f34f2a8a25fcdce9a77f7b1589da1162cdd949f427be76059c60575e4dd0a376c5af0f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c1c0a616fdc500ca1c57a801a2d4b33

SHA1
3bf75c9755445cd1e5e136d0a9834b9fb561ce70

SHA256
fd102af4f01d2c7313b76e07ac37ac9c8be8656b5d9c47892fb9d1d30b89e0f4

SHA512
28ea1ddb367363343f05368ad91e97681bfbf5d9a91ae2abb23d97392e16ee116f3d8541c063e0237040ff22a7b3100106542f8855cc8eb9a271c997a45a3d7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64933cd00005a5f1321d41ef958d82f1

SHA1
4cdf720bd3bd4d099ee6ac8b4f879ba77ddacc3f

SHA256
414a95bc1726acabc27b11e0ff8bf02f468688f3c2318c1a8c4a68aaa3bec721

SHA512
7de3120cbe57aa0d897e1d0e14377722d222bbce005661cef52285bd5725ade4348f108cd2ca296a6b98bd9d5171a000c0602fab41701e4a3f7c2a3fab0772ad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c078b4f1df268e1a3b724954dfd3f242

SHA1
cbd0606269e5c0e184eb9bc019daa240ecc3ea31

SHA256
7fef2830e0179fd852b665b8a23af5cb26f9bd4efd970d48dd8d7f90b83ed087

SHA512
dde78d6709a3a4a56d5aa63979d3ad279e97e841a43a67323cd5d70076eb68d4f68fff57d4d8ee025fef9c0e748557724879e1efe51d17cb86d5571b9288d2ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3848d5c039fd1d74f638b8252ea438a

SHA1
324624c53e8a2db7feb7d74bf765ff75f869d8a2

SHA256
8f7aa31a3f86d33d045616d95d33d68fc80964ef9ab3fb21199237ab00bf2efe

SHA512
231dfae93754b12d7e7ea38b470ba666f9b105e266949ec351d87eca2329a7851b9efd49a769b8a385ebb3c262a9069e02c7001b03bcb5c0e708e3295db3798d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0206261e1e9b0661b63e9a8c9277cf8f

SHA1
0fec76b8b094e60eeab167bf63c5cae9090983b9

SHA256
c9c4d77573d955e4214c4968976b2c76101464d071601fecb6f2477274c9a68a

SHA512
2163b0327b88a569875d98b5781b510b64b8f556cc4968d92a340fecc9f5f525b210d5951772d29ece52da3bdde72e2e4ac769809e65634c2e71de40fb48d53a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efff86ae90157f3a6b5f4131d1fb8ead

SHA1
e681c5e7295f92c408549324834c131d26b7d1c6

SHA256
fc10f6320633b0b3f8f72bc5ed86298425d0a7c6779826f87e2d2cc2ca397442

SHA512
70ddc0fa4a3842bd59a97d6af75181896879ee7426dd30a6faf2e762e7c92854c71fbf8df0eb0af1db2f55ac7f90a2338b04ab803d49d121ffdfbbaa6cbce149

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ebc7574ad0a0300e22c3877fa7502ba

SHA1
b8afa7b0e7127250025b2b94553fd858118dd12a

SHA256
294219c7138ca57357af4b36b04ffa35fbf8f18d45387b229c43f14247a129dd

SHA512
734aa0bc2bfaf0eb3c760f51e8fa0117d996b6be4df1d48a1b49861418f089faa3a046614659f5d611e298352912f199f2d7e92656dbf044b6ff5e89f37d666f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b7b50021a3e74895fd3b599f896def1

SHA1
86a0f075d590aa757d06f9cbca2afab9b344342a

SHA256
2add474b92738959ef052006fecd2cbc2d8292b7240e80e1b3b7e668040ec0de

SHA512
2888f2292d241406623161c797b466d9663d71f01abf28f80d0b54127043c9ba4b33f1c2265e7b27b54953eb8e835737fd6356f0a1613e9a338cff34ba6a5b60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
843d2c3555e93ca124f228b1444bec3b

SHA1
730ae198c81f9c5e52aa04e2ca7668e5dbaf3bc1

SHA256
e83843a99b3ebcc6c388f69ccd7d9f9e8ee792c8f8fed1eb1b70298742b30334

SHA512
59c2157f1a876cee5e3f35b8b82201dc381db4e1a5ad76fb56a18700263f44db1e11e9ccf39ddb8d221d4a32cc46f684a965c3b3133fd75140151148838f4698

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e07582e30ca05259f9375bf47ffa5589

SHA1
6178823d381a4ac680aaa917b5c530b42f2a5a7a

SHA256
46216c9e4edec137b362d3231c51a07863cd16b74f81c104942c68590f663e7e

SHA512
d2576e8955a7fef3c44ef5a64a7b72a8d7fd957efdc062e244246bd8152e0a398e5ffa20caf7e36f95ee2618c7b39f4c6a0c983f106c8fd1edf74ef428f3ecdd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67656147fdbf222519099faad54783a7

SHA1
4b58bba8bb43c9bc3336ceda8771de6f78b695c5

SHA256
cbf47eb2ece435645ee6c60509c059e4f2e076ed3f55514639052a4d796e9fa6

SHA512
39c595214db1a499af1c75903de9ca584fc3c6984cffa404b8c81816a408ae44d0614c1e1d2c4e54951ad37c517c41a6802089c8cfb3863d00175ae75bb75275

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
136f762b85ec7e985daaf871a29bd712

SHA1
25f56629b132a37527498bcdadc0925ad38d48f5

SHA256
f4b727e74202007a6c09a2857fb2e13d3b9437ad4b3ad2ac53e673f817e04b64

SHA512
c5c50889a0288a070e556ea51bb9836bbadc9a24fa34c2155bcbeb9ac5a44f7f4e8f4484c6f8e3753c17cadbfca727461c805b41ef2bf1e573d054dad1b5bb22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e546b01f81a7b475cb4f185954e597c2

SHA1
b06de97010885022fb4b7445a939eec998bba633

SHA256
f8206fc3920ecdb058c55a3491a6900ece021f969555aa3cc93c20d1c108c547

SHA512
61aa7b355229c9371da2ad019dfae8360a7d7479cad84fc0478178c4c186a74848436078b3de08dffa4137131eb1b7cd9338493f81f2ee6b32f23835d1629ddf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a55981ce983f2c39769f85f6d788243

SHA1
e1bb389307012dffa573473ab80564830daab84f

SHA256
36a877f778e845d36d7602dd235b8d7c4a9e209b13df17a73f3b9f9ae09aa322

SHA512
17e3337d4602cd4917b0110631506e534c6c200da5b9dc8a197c0a73746a8158a6956e4a9fb4aafdc4aafadc950fae09074f52d075b1de0999e20b8ff4423568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e579da6c5fcbfd669e90069aab964cbd

SHA1
01429ca657feaa1c36c2c11dd65d639da3377e50

SHA256
c835ee56a872a1e832868aa9461f6e30ecc05d5cbbc6382601388a366bd6fdb2

SHA512
00915fcdfc09cd06e5cc2cae14dec74f9b4d4ba4d856d56b4fb54badb6781ca3e0daee2ba5e65d4c0801f2b735fae40dd83c3e500f24f22b8820efc90a54cbda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
970335871b99e17a9fda7aac5542dedc

SHA1
64faea776898985790845e3ffb44fb5ebd7b49df

SHA256
93d2ad76b90cde291f7c71c303dcc26bab1151ec4bd6bc6ec8a376e37885c8a1

SHA512
4f7750c6650949456f98551384801e090fb79f6e6d06061ce3b35f2d08807c4da02b64f9830ba3f0c050804be4345b72463abbf3b1ddec58dedc9f498bac1404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b78588f61d8cd618e944feaab05e2f5

SHA1
b56344c833e86b1c138c5c364396db8e8ba4d69c

SHA256
a44144a9053d775caca1108f6930e747b2dde565b28f62e6138c743c0dd1f4aa

SHA512
497e9798d216034bff04bb13f774ba4b5e036962a67999a6d7af08292b5644590bb0344c3dfbc434d0e784d9ca7d083cb8b36a20bf3bccfb5823a2beeea7e663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a285e0f4fe8e59ffbf5beb58c6e65a62

SHA1
ce31c9d22b374d296295826f50152c5b45979be6

SHA256
b4361c08ad4439298f71c007266bf1541e892a478a6198bceec9d0986aef5f56

SHA512
44f063202de2aa39c6fb57697194fdf76508af3c66fdfd49348b5d64a677d0ad730d78c9a01103265f3c84e8bed71deafe1451df2e343be292b82778ee177259

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9287bf265f5fef4b5cc8df03b766303a

SHA1
86870edc39d6d59c5a4f46badfebace2b5f23d7f

SHA256
4a1b7935e15ce5dab711721d2a4cf57fc90588f56c6b9050923c9753d5eb2c0c

SHA512
fd8dcd3c4eddd573acab533b204044abf30a1dd7012de741158f6a18522cb07f5b50535cde92bdfdc1ecdc5a9b4aa18a6252778b50f98b0eacdf25b3939b283b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBD6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC37.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Temp\CreateProcess.exe

Filesize
3KB

MD5
70848c225cea56842cfaf4afc5163b64

SHA1
64e2a8f7334e86de5183d78d7755a33374879d7d

SHA256
0acb27486c0bbcafa52cc88eb67c2d16248154945d9fc8c9085437b198b5117f

SHA512
e42eec50baee3bdfbe6f20c638447f865e233cf37fdb31518201248b97ff0a4dfa85032d47d6acef4e6fc131c6d1013dbb976502a7d992f6d3023210c8042dd9

Download Submit
\Temp\rljdywqoidavtnif.exe

Filesize
361KB

MD5
123d86555482c1b991540b9e3262fee2

SHA1
4653b9eeba12047d29a3128440f2d708240b7faf

SHA256
169538fea503958c24b587364bfb4dfc8c7e525af0c8bb7dbfe3e5a0af7eee74

SHA512
8d8205d6c79c8f68d4813a120331cd8ff4c7f119ea399fc17a041d33fde01aa35fd58decdd043273b44607e19668cd9260ee946fcf743e12d46b7ee175734925

Download Submit